East Bay Cyber

What Is the Diamond Model of Intrusion Analysis?

The Diamond Model of Intrusion Analysis is a framework analysts use to understand cyber intrusions through four linked elements: adversary, capability, infrastructure, and victim. Instead of treating alerts and indicators as isolated facts, the model helps defenders map relationships and build a clearer picture of how an attack works.

Short Answer

The Diamond Model of Intrusion Analysis organizes an intrusion around four core elements:

  • Adversary
  • Capability
  • Infrastructure
  • Victim

It helps incident responders, threat hunters, and intelligence teams connect evidence into a structured view of attacker behavior rather than relying on disconnected indicators alone.

The Four Core Elements

At the center of the model are four core features, drawn as the vertices of the diamond, that together describe one intrusion event. The original model also attaches meta-features to each event (timestamp, phase, result, direction, methodology, and resources), but the four vertices are what most teams use day to day.

Adversary

The adversary is the actor behind the activity. This could be:

  • a cybercriminal group
  • a nation-state operator
  • an insider
  • an affiliate
  • an unattributed threat cluster

Analysts do not always know the exact identity. The model still works if the adversary is described loosely, such as “unknown phishing actor” or “suspected ransomware affiliate.”

Capability

The capability is what the adversary uses to achieve an effect. This may include:

  • malware
  • phishing lures
  • exploit chains
  • credential theft tools
  • scripts
  • persistence methods
  • living-off-the-land techniques

A capability does not have to be a malware family. It can also be a technique, workflow, or toolset used in the intrusion.

Infrastructure

The infrastructure is the delivery or communication path the adversary relies on. Examples include:

  • domains
  • IP addresses
  • VPS instances
  • email accounts
  • command-and-control servers
  • staging servers
  • abused cloud services

This is often where defenders first gain visibility, because infrastructure creates observable points for monitoring, blocking, and correlation.

Victim

The victim is the target of the intrusion. That might be:

  • a person
  • a user account
  • a department
  • a business unit
  • a company
  • a server
  • an application or dataset

The victim side matters because attacks are directed at something of value, not just systems in the abstract.

Why It Is Called a Diamond

The framework is drawn as a diamond because the four elements sit at its vertices, with adversary and victim at the top and bottom and capability and infrastructure on the two sides; the edges between them are the relationships an analyst follows. A single intrusion event can be described as:

  • an adversary
  • using a capability
  • through infrastructure
  • against a victim

That structure makes it easier to describe an attack as a relationship rather than as a flat list of IOCs.

For example:

  • Adversary: unknown phishing operator
  • Capability: credential-harvesting kit
  • Infrastructure: spoofed login domain and sender infrastructure
  • Victim: finance users in one business unit

That is far more useful than a single malicious domain or filename because it explains what role each piece plays.

How Analysts Use the Diamond Model

The Diamond Model of Intrusion Analysis is practical because it supports several types of security work.

Incident response

During an incident, the model helps responders organize known facts and identify gaps. If you know the malware and callback domain but not the full victim scope, the missing piece becomes obvious.

Threat hunting

Hunters can pivot from one element to another, such as:

  • from a domain to related victims
  • from a malware family to reused infrastructure
  • from a targeted department to likely attack methods

This supports structured investigation instead of random searching.

Threat intelligence

Intelligence teams use the model to cluster events, compare campaigns, and understand reuse. Useful questions include:

  • Is this infrastructure reused across incidents?
  • Does the same capability appear with multiple adversaries?
  • Are similar victims being targeted repeatedly?

Executive communication

The model also helps simplify incident reporting for leadership. Framing an intrusion around attacker, method, infrastructure, and target is easier to communicate than presenting a long list of raw indicators.

Why the Model Matters

The biggest value of the Diamond Model is that it emphasizes relationships, not just artifacts.

Security teams often collect:

  • hashes
  • IPs
  • domains
  • filenames
  • alerts
  • usernames

Those details matter, but on their own they do not explain the intrusion. The Diamond Model helps teams answer how the parts connect and what the activity means.

That makes it useful for:

  • scoping incidents
  • clustering related activity
  • improving threat hunts
  • building better detections
  • producing clearer reporting

For more on related frameworks and workflows, see:

  • What Is MITRE ATT&CK and How Do Teams Use It?
  • What Is Threat Hunting?

A Simple Example of the Model in Practice

Imagine a company sees repeated login attempts against Microsoft 365 accounts, and then a phishing email that successfully captures one employee's credentials.

Using the model, an analyst might document:

Adversary

An unknown actor targeting finance staff.

Capability

A phishing kit that captures the credentials and the MFA codes or session tokens entered on the fake page, so the stolen login still works against an MFA-protected account.

Infrastructure

A spoofed login domain, email sender infrastructure, and hosting service used for the phishing page.

Victim

A finance employee account with access to invoice workflows.

Now the investigation has structure. The team can hunt for:

  • other users targeted by the same infrastructure
  • similar phishing emails
  • related domains
  • signs of account misuse after compromise
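The hunts listed above, the gap check from the incident response section, and the reuse and clustering questions from the threat intelligence section are all set operations over a collection of events. The following is an added example, not code from this article or from any particular tool, of a small in-memory Diamond Model store that implements those operations in Python. The events, user names, kit description and hostnames are constructed placeholders for the finance phishing scenario; the `.example` hostnames are reserved names, not real indicators.

```python
"""Added example, not code from the original article: a minimal in-memory
Diamond Model event store with the operations the text describes, gap-finding
for one event, pivoting from a known vertex label to related events, and
clustering events that share a label on a vertex. All events, names and
hostnames below are constructed for illustration, not real indicators."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

VERTICES = ("adversary", "capability", "infrastructure", "victim")


@dataclass(frozen=True)
class DiamondEvent:
    """One intrusion event. Each core feature holds zero or more labels, so an
    unknown vertex (e.g. unattributed adversary) stays empty instead of invented."""
    event_id: str
    timestamp: str  # meta-feature from the original model (constructed value)
    adversary: frozenset[str] = frozenset()
    capability: frozenset[str] = frozenset()
    infrastructure: frozenset[str] = frozenset()
    victim: frozenset[str] = frozenset()

    def values(self, vertex: str) -> frozenset[str]:
        if vertex not in VERTICES:
            raise ValueError(f"unknown vertex: {vertex!r}")
        return getattr(self, vertex)

    def missing_vertices(self) -> list[str]:
        """Gaps still to fill, e.g. victim scope not yet established."""
        return [v for v in VERTICES if not self.values(v)]


def pivot(events, from_vertex, label, to_vertex):
    """Hunting pivot: every `to_vertex` label in events whose `from_vertex`
    contains `label`, e.g. from one phishing domain to every victim it hit."""
    found: set[str] = set()
    for ev in events:
        if label in ev.values(from_vertex):
            found |= ev.values(to_vertex)
    return found


def _index(events, vertex):
    """Map each label on `vertex` to the ids of the events carrying it."""
    index: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        for label in ev.values(vertex):
            index[label].add(ev.event_id)
    return index


def shared_values(events, vertex):
    """'Is this reused across incidents?': labels seen in more than one event."""
    return {lab: ids for lab, ids in _index(events, vertex).items() if len(ids) > 1}


def cluster_by(events, vertex):
    """Connected components: two events share a cluster when they share any
    label on `vertex`, directly or through a chain of other events."""
    by_id = {ev.event_id: ev for ev in events}
    index = _index(events, vertex)
    clusters, seen = [], set()
    for ev in events:
        if ev.event_id in seen:
            continue
        component, stack = set(), [ev.event_id]
        while stack:
            eid = stack.pop()
            if eid in component:
                continue
            component.add(eid)
            for label in by_id[eid].values(vertex):
                stack.extend(index[label] - component)
        seen |= component
        clusters.append(frozenset(component))
    return clusters


KIT = "credential-harvesting kit (captures password + MFA session token)"

# Constructed sample: the finance phishing scenario from the article plus two
# further events, so pivots and clusters have something to separate.
EVENTS = [
    DiamondEvent("EV-1", "2026-05-01T09:12:00Z",
                 adversary=frozenset({"unknown phishing operator"}),
                 capability=frozenset({KIT}),
                 infrastructure=frozenset({"login-portal.example", "mail-sender.example"}),
                 victim=frozenset({"finance: a.smith"})),
    DiamondEvent("EV-2", "2026-05-02T10:40:00Z",
                 adversary=frozenset({"unknown phishing operator"}),
                 capability=frozenset({KIT}),
                 infrastructure=frozenset({"login-portal.example", "vps-host.example"}),
                 victim=frozenset({"finance: b.jones"})),
    DiamondEvent("EV-3", "2026-05-03T02:05:00Z",
                 adversary=frozenset({"suspected ransomware affiliate"}),
                 capability=frozenset({"commodity loader"}),
                 infrastructure=frozenset({"c2-relay.example"}),
                 victim=frozenset({"engineering: build-server-01"})),
    # Seen only in mail filtering: same kit, new domain, no victim confirmed yet.
    DiamondEvent("EV-4", "2026-05-04T15:30:00Z",
                 capability=frozenset({KIT}),
                 infrastructure=frozenset({"invoice-review.example"})),
]

if __name__ == "__main__":
    print("victims of login-portal.example:",
          sorted(pivot(EVENTS, "infrastructure", "login-portal.example", "victim")))
    print("infrastructure behind the kit:", sorted(pivot(EVENTS, "capability", KIT, "infrastructure")))
    print("reused infrastructure:", shared_values(EVENTS, "infrastructure"))
    print("clusters by capability:", cluster_by(EVENTS, "capability"))
    print("gaps in EV-4:", EVENTS[3].missing_vertices())
```

Clustering by capability groups EV-1, EV-2 and EV-4 together even though EV-4 shares no domain with the others, which is exactly the "same kit, new infrastructure" signal an intel team wants surfaced; clustering by infrastructure leaves EV-4 on its own, and `missing_vertices` shows it still lacks an adversary and a victim.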

Common Misconceptions

“The Diamond Model is just for attribution.”

False. Attribution can be part of it, but the main purpose is to structure intrusion data and show relationships among the elements.

“You need to know the exact threat actor.”

Incorrect. Many incidents begin with incomplete attribution. The adversary can remain unknown while the rest of the model still provides value.

“It replaces MITRE ATT&CK.”

No. ATT&CK and the Diamond Model are complementary. ATT&CK describes tactics and techniques, while the Diamond Model organizes the entities and relationships in a specific intrusion; in practice the ATT&CK techniques observed are a natural way to describe the capability vertex of a diamond event.

“It is only useful for advanced threat intel teams.”

False. Even small SOCs and incident response teams can use the model informally to organize investigations and communicate clearly.

Final Takeaway

The Diamond Model of Intrusion Analysis helps analysts move from isolated evidence to structured understanding. By mapping an intrusion through adversary, capability, infrastructure, and victim, defenders get a clearer view of what happened, why it matters, and where to investigate next.

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Last verified: 2026-05-13
